From 069c6acabd3827c7e6fc5502627bec62d9b7d01d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sun, 20 Jan 2013 22:47:26 +0100
Subject: [PATCH] Another update for an Issue #362

---
 lib/techniques/blind/inference.py | 9 ++++++++-
 plugins/dbms/firebird/syntax.py | 2 +-
 plugins/dbms/sqlite/syntax.py | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 8e627701d..33a9efadb 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -180,7 +180,14 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 value are not equal there will be a deliberate delay).
 """
- forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx, value))
+ if CHAR_INFERENCE_MARK not in payload:
+ forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx, value))
+ else:
+ # e.g.: ... > '%c' -> ... > ORD(..)
+ markingValue = "'%s'" % CHAR_INFERENCE_MARK
+ unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
+ forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
+
 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 incrementCounter(kb.technique)
diff --git a/plugins/dbms/firebird/syntax.py b/plugins/dbms/firebird/syntax.py
index 97d515f83..21a21b8e2 100644
--- a/plugins/dbms/firebird/syntax.py
+++ b/plugins/dbms/firebird/syntax.py
@@ -22,4 +22,4 @@ class Syntax(GenericSyntax):
 if isDBMSVersionAtLeast('2.1'):
 retVal = Syntax._escape(expression, quote, escaper)
- return retVal
\ No newline at end of file
+ return retVal
diff --git a/plugins/dbms/sqlite/syntax.py b/plugins/dbms/sqlite/syntax.py
index 8e43c686a..83c0a4741 100644
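Review bot: In the new `else` branch the name `unescapedCharValue` is misleading — it holds the output of `unescaper.escape(...)`, i.e. the DBMS-escaped quoted literal that gets substituted for the marker, so anyone auditing where the candidate character is escaped before it reaches the query will look at the wrong variable; rename it `escapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))` and use `.replace(markingValue, escapedCharValue)`. The marker substitution runs on the already formatted payload rather than on the template, so if the formatted `expressionUnescaped` ever contained the quoted marker text it would be rewritten as well; if this ordering is deliberate (for instance to keep a `%` inside the escaped value away from `safeStringFormat`), a short comment saying so would help, otherwise replacing the marker in the template before formatting would be safer. The terse `# e.g.: ... > '%c' -> ... > ORD(..)` comment would read better spelled out, e.g. `# payload carries a quoted CHAR_INFERENCE_MARK placeholder instead of a %d slot: swap in the escaped literal for value after formatting`. The enclosing `bisection` function starts and ends outside this hunk.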
--- a/plugins/dbms/sqlite/syntax.py
+++ b/plugins/dbms/sqlite/syntax.py
@@ -24,4 +24,4 @@ class Syntax(GenericSyntax):
 if isDBMSVersionAtLeast('3'):
 retVal = Syntax._escape(expression, quote, escaper)
- return retVal
\ No newline at end of file
+ return retVal